Description
A vulnerability was determined in Mindinventory MindSQL up to 0.2.1. The affected element is the function ask_db of the file mindsql/core/mindsql_core.py. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

This vulnerability arises from unescaped input reaching the ask_db function in the mindsql_core.py module. An attacker who controls that input can get crafted SQL executed directly against the backing database, enabling unauthorized reads, modifications, or deletions of data. The recorded weaknesses are CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection') and the more specific CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection'). The potential impact is compromise of database contents and operations, i.e. loss of confidentiality, integrity, or availability of the application's data; the published CVSS vectors rate each of the three as low (C:L/I:L/A:L) with no impact on other components (S:U; SC:N/SI:N/SA:N).

Affected Systems

The affected product is Mindinventory MindSQL, in all releases up to and including version 0.2.1; no fixed release and no other affected versions are listed in the current data set. The vulnerability sits in the core module's ask_db function (mindsql/core/mindsql_core.py).

Risk and Exploitability

The CVSS 4.0 base score is 5.3 (medium); the CVSS 3.0/3.1 vectors score it 6.3 and the CVSS 2.0 vector 6.5. The EPSS score is below 1%, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: poc, Automatable: no, Technical Impact: partial. Every recorded vector requires low privileges (PR:L; Au:S in CVSS 2.0), so an attacker needs some level of access to the application rather than none, but the attack is network-reachable (AV:N), has low attack complexity, and needs no user interaction. Because a proof of concept has been publicly disclosed (E:P), the likelihood of exploitation is non-negligible, especially for instances exposed to untrusted networks.

Generated by OpenCVE AI on March 20, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the installed MindSQL version; every release up to and including 0.2.1 is affected and no fixed release is listed, so treat such installations as vulnerable.
  • Restrict external network exposure of the MindSQL service and of the database it connects to, using firewall rules or network segmentation.
  • Monitor Mindinventory for a security patch; apply any available update as soon as it is released.
  • Until a fix is available, do not pass untrusted input into ask_db unvalidated: bind values with parameterized queries where the statement is assembled from user-supplied text, and run the function against a least-privilege, read-only database account so that an injected statement cannot modify data.
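Added example for the mitigations in the list above; this is not code from MindSQL, and because this page does not show the real ask_db signature, every name in it (ask_db_vulnerable, ask_db_parameterized, read_only_executor, the users table, the payload) is hypothetical. It runs the CWE-89 pattern the advisory describes against a constructed in-memory SQLite database, beside two mitigations: a bound parameter for the case where ask_db assembles the statement from user text, and an SQLite authorizer for the case where the whole statement is attacker-influenced, which parameterization cannot fix, so the engine is told to refuse anything that is not a read.

```python
"""
Added example for CVE-2026-4507, not code from MindSQL: the CWE-89 pattern
the advisory describes beside two mitigations, run against a constructed
in-memory SQLite database. All function and table names are hypothetical;
the page does not show the real ask_db signature.
"""
import sqlite3

# Constructed injection payload: the quote closes the literal, the rest adds a tautology.
PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for a real application database.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, role TEXT);"
        "INSERT INTO users(name, role) VALUES ('alice', 'admin'), ('bob', 'user');"
    )
    return conn


def ask_db_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Caller-controlled text is spliced into the statement. The quote in the
    # payload ends the string literal and the remainder is parsed as SQL.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def ask_db_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # The value is bound to a placeholder and never concatenated into SQL text,
    # so the same payload is compared as an ordinary string and matches nothing.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Authorizer actions a read-only consumer legitimately needs.
READ_ONLY_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}


def read_only_executor(conn: sqlite3.Connection):
    """Return a runner for statements whose text itself is untrusted.

    Parameterization cannot help when the whole statement is attacker-influenced,
    so the engine is told to refuse every action except reading. The equivalent
    on a server database is a dedicated account granted SELECT only.
    """

    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        return sqlite3.SQLITE_OK if action in READ_ONLY_ACTIONS else sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)

    def run(sql: str) -> list:
        try:
            return conn.execute(sql).fetchall()
        except sqlite3.DatabaseError as exc:  # "not authorized" raised by the authorizer
            raise PermissionError(f"statement refused: {exc}") from exc

    return run


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", ask_db_vulnerable(db, PAYLOAD))     # both rows leak
    print("parameterized:", ask_db_parameterized(db, PAYLOAD))  # []
    run = read_only_executor(db)
    print("read allowed: ", run("SELECT name FROM users ORDER BY id"))
    try:
        run("DELETE FROM users")
    except PermissionError as err:
        print("write refused:", err)
```

The authorizer is SQLite-specific; on another engine the same effect comes from the read-only account recommended in the list above. Neither measure replaces an upstream fix; they limit what an injected statement can do while one is awaited.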


Advisories

No advisories yet.

History

Mon, 23 Mar 2026 17:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values added: Mindinventory; Mindinventory mindsql

Type: Vendors & Products
Values added: Mindinventory; Mindinventory mindsql

Fri, 20 Mar 2026 22:15:00 +0000

Type: Description
Values added: A vulnerability was determined in Mindinventory MindSQL up to 0.2.1. The affected element is the function ask_db of the file mindsql/core/mindsql_core.py. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values added: Mindinventory MindSQL mindsql_core.py ask_db sql injection

Type: Weaknesses
Values added: CWE-74; CWE-89

Type: References
Values added: (none shown on this page)

Type: Metrics
Values added:
  cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-23T16:45:19.432Z

Reserved: 2026-03-20T14:08:36.652Z

Link: CVE-2026-4507

Vulnrichment

Updated: 2026-03-23T16:45:11.598Z

NVD

Status: Deferred

Published: 2026-03-20T22:16:30.170

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-4507

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:34:24Z

Weaknesses